Denial of Service and Countermeasures

Introduction

The function of a denial of service attack is fundamentally to flood
its target machine with so much traffic that it can no longer accept
other requests or provide its services. The target machine is kept so
busy responding to the traffic it receives from its attacker that it has
insufficient resources left to respond to legitimate traffic on the
network. A distributed denial of service attack adds a many-to-one
dimension to these attacks. This form of denial of service generally
involves one machine running a master program and several machines which
have been enslaved as zombie machines. They are referred to as zombies
because these machines, originally victims of a denial of service attack
themselves, unwittingly become attackers. The zombie programs, or daemons,
reside on the victim's machine until they are instructed by the master
machine to attack another target. This makes it almost impossible to track
down the real attacker, as the attack traffic comes from zombie machines
which have no knowledge of the origin of the attack.

In this paper we will discuss some of the more commonly known methods
of both denial of service and distributed denial of service attacks and
the possible countermeasures.

Smurf Attack:
This form of attack involves sending Internet Control Message Protocol
(ICMP) echo (ping) requests to multiple Internet Protocol (IP) broadcast
addresses. All of these messages carry a spoofed source address, that of
the intended victim. Each host that receives and accepts the ICMP echo
request replies with an echo reply to the source address, which in this
case is the target of the attack. [1] The weight of this attack is
therefore effectively multiplied by the number of responding hosts. If the
attack took place on a multi-broadcast network there could potentially be
hundreds of machines replying to each packet sent. [2]

UDP Flood:
A UDP flood, also known as a fraggle attack, is a cousin of the Smurf attack.
It is based on the UDP echo and character generator (chargen) services. It
uses a forged UDP packet to connect the echo service on one machine to the
chargen service on another. These two machines then use up all available
bandwidth sending characters back and forth between themselves.

SYN Flood:
A SYN flood exploits TCP's standard three-way handshake. The attacker
initiates a connection request (SYN) to the server and then ignores the
acknowledgement (ACK) that would complete the handshake. This forces the
server to wait for the ACK from the attacker, wasting time and resources.
A server can only hold a fixed number of pending connection requests at any
given time, so this form of attack can effectively block all legitimate
traffic.

The following are examples of distributed denial of service attacks and
the way in which the zombie machines in each case are controlled. There
are numerous variations of this kind of attack in existence.

Trinoo:
The master program is given the command to commence the attack by the attacker
using TCP. The zombie machines are then given their orders by the master
program through UDP packets. The zombie machines then launch a UDP flood
attack on the target victim. [1]

Tribe Flood Network:
The communication between the attacker and the master control program in
this instance takes place over a command line interface. The control
program then communicates with the zombie machine using ICMP echo reply
packets. The attack zombies then in turn implement Smurf, SYN flood and
UDP flood attacks.

In the past year or more, hackers have begun turning their armies of
zombie computers to gambling sites, crippling them when they're needed
most, at large events such as Wimbledon and the Super Bowl. The demands
are simple, 'pay us money, or your system will be unusable'. These extortionists
have demanded anything between $20,000 and $50,000 in recompense. With
gambling sites expected to lose literally millions while these attacks
are continuing, most pay up.

Shown above is a performance diagram of some UK betting sites which were
targeted and disrupted in June 2004. It's noticeable just how disastrous
these attacks can be if they bring some of these main sites to their knees
for several hours.

Britain's National Hi-Tech Crime Unit has been investigating such cases.
Recently, in association with Russian police, three "masterminds" [4] were
arrested in connection with the targeting of gambling sites.

"authorities say the suspects had netted hundreds of thousands of
dollars from October 2003 through early 2004 in extortion payments."[4]

Countermeasures

There are several stages involved in combating denial of service attacks.
The first is recognising that you are under attack. The second is
determining what kind of attack is being executed: for example, is it a
single-source attack, or are multiple sources being used? The final stage
involves counteracting the attack. Different methods are used to combat
different types of attack, and knowledge of how the attack is being
performed helps in choosing the best solution. Different techniques can
also be used depending on whether or not the network has mobile components.
We will illustrate some techniques that have been suggested for determining
the type of attack, and some of the countermeasures that can be put in
place in response.

Characterising the type of Attack:

One approach is simply to analyse the header fields of the packets being
used in an attack. However, given the ease with which attackers can forge
most packet information, analysing something as obvious as the source
address field is futile. Heidemann et al. [5] suggest that other fields,
such as the fragment ID or time to live (TTL), may be used instead. Packets
generated by the same host will contain monotonically increasing ID values,
and TTL values will remain constant for the same source-destination pair,
assuming the routes remain relatively stable during the attack. These
characteristics can be used to classify an attack as single- or multi-source.

Heidemann also proposes analysing the ramp-up behaviour of the attack.
The rate at which an attack's intensity increases, or 'ramps up', over time
can be used as an indication of the number of sources taking part. With
multiple sources, the intensity of packets arriving at the victim tends to
build up more slowly than in a single-source attack. The signal to start
the attack reaches the zombie computers across the network at slightly
different times because of path latency, so their attacks start at
different times and the aggregate builds up more slowly than a single-source
attack (which typically begins at full strength). [Figure 3] illustrates
the ramp-up characteristic of a multi-source attack: there is a three-second
ramp-up at about 27 seconds as the number of attackers increases from one
to six. This method is not robust, however, as an attacker could create an
artificial ramp-up from a single site.
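The two heuristics above, per-host monotonic ID values with a constant TTL and the attack's ramp-up time, can be applied directly to a captured packet stream. The following is an added example and not code from the paper or from Heidemann et al.; the packet records are constructed, and the record field names, the ID window and the ramp-up threshold are assumptions made for this demonstration.

```python
"""Single- versus multi-source attack classification from packet headers.

Added example, not code from the paper or from Hussain, Heidemann and
Papadopoulos. It groups packets into 'one host' streams by TTL and
increasing fragment ID (ignoring the spoofable source address) and
measures how long the packet rate takes to ramp up. Field names and
thresholds are assumptions for this demonstration.
"""
from collections import defaultdict

ID_WINDOW = 1000      # largest ID gap still attributed to the same host (assumption)
RAMP_THRESHOLD = 1.0  # ramp-up longer than this many seconds suggests many sources


def estimate_sources(packets):
    """Greedily assign each packet to a stream with the same TTL whose last
    ID is just below this packet's ID; otherwise start a new stream.
    Returns the number of streams, an estimate of the number of hosts."""
    streams = []  # each: {"ttl": int, "last_id": int, "count": int}
    for p in sorted(packets, key=lambda p: p["time"]):
        for s in streams:
            if s["ttl"] == p["ttl"] and 0 < p["ip_id"] - s["last_id"] < ID_WINDOW:
                s["last_id"] = p["ip_id"]
                s["count"] += 1
                break
        else:
            streams.append({"ttl": p["ttl"], "last_id": p["ip_id"], "count": 1})
    return len(streams)


def ramp_up_seconds(packets, bin_size=1.0):
    """Seconds taken for the packet rate to climb from 10% to 90% of its peak."""
    counts = defaultdict(int)
    for p in packets:
        counts[int(p["time"] // bin_size)] += 1
    peak = max(counts.values())
    bins = sorted(counts)
    first_low = next(b for b in bins if counts[b] >= 0.1 * peak)
    first_high = next(b for b in bins if counts[b] >= 0.9 * peak)
    return (first_high - first_low) * bin_size


def classify(packets):
    """Combine both heuristics into a single verdict."""
    sources = estimate_sources(packets)
    ramp = ramp_up_seconds(packets)
    verdict = "multi-source" if sources > 1 or ramp > RAMP_THRESHOLD else "single-source"
    return {"sources": sources, "ramp_up_seconds": ramp, "verdict": verdict}


def make_single_source(n=300, rate=100.0, start=5.0):
    """Constructed: one host spoofing many source addresses at full rate from the start."""
    return [{"time": start + i / rate, "src": f"10.0.{i % 7}.{i % 251}",
             "ip_id": 1000 + i, "ttl": 54} for i in range(n)]


def make_multi_source(per_host=100, rate=50.0, start=27.0, stagger=0.5):
    """Constructed: six zombies whose start signal arrives 0.5 s apart."""
    ttls = [40, 52, 40, 61, 52, 47]  # two pairs share a TTL on purpose
    pkts = []
    for h, ttl in enumerate(ttls):
        t0 = start + h * stagger
        pkts += [{"time": t0 + i / rate, "src": f"192.0.2.{h + 1}",
                  "ip_id": 10000 * h + i, "ttl": ttl} for i in range(per_host)]
    return pkts


if __name__ == "__main__":
    print("single:", classify(make_single_source()))
    print("multi: ", classify(make_multi_source()))
```

On the constructed data the single host is recognised as one stream with no ramp-up, while the six staggered zombies produce six streams and a two-second ramp-up even though two pairs of them share a TTL. As the text notes, the ramp-up test alone is not robust, since one host can shape its own ramp-up; the ID and TTL test is the stronger of the two.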

Counteracting DoS attacks:

An obvious approach to dealing with DDoS attacks would simply be to trace
the attacker and prevent those responsible from controlling the zombie
computers which attack the computer or network. However, this is usually
not possible because the zombies are controlled by an attack control
mechanism, which is in turn controlled remotely by the attacker. To make
tracing the attack significantly more difficult, communication between the
zombies, the control mechanism and the attacker is often encrypted. [6]

There are a number of proposed schemes to deal with DDoS attacks. A method
worth mentioning is the CenterTrack approach devised by Robert Stone.
This works by creating special tracking routers which link all edge routers
to a central tracking router. This is referred to as an overlay network.
During an attack, traffic for the victim is routed through this network
dynamically. Hop-by-hop tracking is then used to trace back to the access
point of the attacking source, beginning from the tracking router closest
to the victim. A major advantage of this scheme is the reduced number of
hops required to trace back to the source of the attack. However, the
system must be implemented perfectly: even the tiniest error could
severely disrupt it. [6] For most, Stone's approach is a little too
volatile. He also suggests another method, in which all edge routers store
information about the traffic that passes through them in a database. This
should include information such as the source and destination addresses.
In the event of an attack, this database is searched for the signature of
the attack so as to determine the ingress adjacency. This method does not
require any tracking hops to trace the ingress edge, and tracing is not
limited to the duration of the attack. [6]

Tupakula and Varadharajan suggest a Packet Marking Technique.

"Our aim is to prevent the attack at the nearest point to the source
of attack (that is the ingress edge)"[6]

Their technique involves a Controller-Agent model in which the controller
is assumed to be an entirely trusted entity responsible for the management
of DDoS attacks. Agents may be implemented on either transit or edge routers,
both of which are internal routers belonging to the ISP domain. With the
use of packet marking, the routers are able to distinguish packets marked
by other agents from packets marked by attackers. It is important that only
the ingress agent marks the packet. If an agent receives a marked packet it
should be able to determine easily whether it was marked by an authorised
agent or by an attacker. The packet should be marked in such a way that the
agent that first marked it can be identified from a minimum number of
packets. Previous methods used probabilistic techniques to mark packets,
thus requiring a substantial number of packets to reconstruct the path
traversed by the attack traffic, which is of course time consuming. An
ideal scheme would require observing only a single packet. Tupakula and
Varadharajan therefore mark packets using an algorithm based on the
fragment ID field, which may allow the ingress edge to be determined by
looking at only one packet. If a packet does not have a valid marker and is
deduced to have come from an attacker, it is dropped. [6]
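The properties the text asks of a marking scheme (only the ingress agent marks, any agent can tell an authorised mark from a forged one, and the ingress edge is recoverable from one packet) can be illustrated with a small keyed simulation. This is an added example and not the paper's code or Tupakula and Varadharajan's actual algorithm: it writes an 8-bit agent id and an 8-bit keyed tag into the 16-bit IP identification field, and the shared key, agent ids, addresses and packet layout are all constructed for the demonstration.

```python
"""Ingress packet marking with a keyed tag (simulation).

Added example, not from the paper and not Tupakula and Varadharajan's
exact scheme. The ingress agent overwrites the 16-bit ID field with
(agent id << 8) | tag, where the tag is an HMAC over the agent id and the
destination address under a key shared with the controller. Any other
agent can verify the mark from a single packet and drops packets whose
mark does not verify. Key, ids and addresses are constructed.
"""
import hashlib
import hmac

DOMAIN_KEY = b"constructed-demo-key-shared-by-controller-and-agents"  # assumption


def compute_tag(agent_id, dst):
    """8-bit keyed tag binding the ingress agent id to the destination."""
    msg = bytes([agent_id]) + dst.encode()
    return hmac.new(DOMAIN_KEY, msg, hashlib.sha256).digest()[0]


def mark(packet, agent_id):
    """Ingress agent: overwrite the ID field with agent id || tag.
    Overwriting discards any mark the sender set before entering the domain."""
    return dict(packet, ip_id=(agent_id << 8) | compute_tag(agent_id, packet["dst"]))


def ingress_of(packet):
    """Any agent: return the ingress agent id if the mark verifies, else None."""
    agent_id, tag = packet["ip_id"] >> 8, packet["ip_id"] & 0xFF
    expected = compute_tag(agent_id, packet["dst"])
    if hmac.compare_digest(bytes([tag]), bytes([expected])):
        return agent_id
    return None


class Agent:
    def __init__(self, agent_id):
        self.agent_id = agent_id
        self.dropped = 0

    def forward(self, packet, from_outside):
        """Mark on the ingress edge; elsewhere verify and drop invalid marks."""
        if from_outside:
            return mark(packet, self.agent_id)
        if ingress_of(packet) is None:
            self.dropped += 1
            return None
        return packet


def run_scenario():
    """Constructed scenario: one marked packet and one with a forged mark."""
    ingress, transit = Agent(agent_id=7), Agent(agent_id=3)
    victim = "198.51.100.5"
    # Traffic with a spoofed source enters the domain at agent 7 and is marked there.
    p = ingress.forward({"src": "203.0.113.9", "dst": victim, "ip_id": 4242},
                        from_outside=True)
    # A packet injected inside the domain carrying agent 7's id but a wrong tag
    # (constructed to be wrong so the demonstration is deterministic).
    forged = {"src": "203.0.113.9", "dst": victim,
              "ip_id": (7 << 8) | (compute_tag(7, victim) ^ 0xFF)}
    delivered = [q for q in (transit.forward(p, False), transit.forward(forged, False)) if q]
    # The agent nearest the victim learns the ingress edge from a single packet.
    return {"delivered": len(delivered), "dropped": transit.dropped,
            "ingress": ingress_of(delivered[0])}


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats a practitioner would raise: an 8-bit tag leaves a 1-in-256 chance that a guessed mark verifies, so a real deployment would use more of the available bits; and overwriting the identification field interferes with IP fragment reassembly, which is why the authors' scheme is built around the fragment ID rather than ignoring it as this simulation does.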

Counteracting DoS attacks on a wireless network:

Denial of service attacks on mobile networks can involve different techniques
from those used on networks with no wireless component. One such attack is
accomplished either by bypassing MAC-layer protocols and bombarding the
victim with packets, or simply by emitting a signal that jams a particular
channel. Xu et al. [7] propose a solution to this type of attack which
uses channel surfing.

"Typically, when radio devices communicate they operate on a single
channel. When an adversary comes in range and blocks the use of a specific
channel, it is natural to migrate to another channel."[7]

The two devices should of course both migrate to orthogonal channels
in order to avoid any interference from the attacker's jamming signal.
If the attacker is using the same technology as the devices it is jamming,
it is important to know how many orthogonal channels are available to
switch to [7]. It is conceivable that the attacker would periodically check
whether it is still interfering with the two devices and, if not, change
the channel it is jamming. The obvious solution is to change to the next
orthogonal channel above or below the one in use. This would, however,
make it easy to track which channels the devices have changed to. Instead
it is proposed that the devices generate the next channel pseudo-randomly
and agree on it through a shared key [7].
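A concrete way to realise the pseudo-random, key-derived channel choice described above, as an added example that is not from the paper or from Xu et al.: both radios derive each hop's channel from an HMAC over a hop counter under their shared key, so they always agree, while a jammer following the 'next channel up' rule rarely lands on the right channel. The channel list (5 GHz 802.11a non-overlapping channels), the key and the number of hops are assumptions made for this demonstration.

```python
"""Keyed channel-surfing schedule (added example, not from the paper or Xu et al.).

Each hop's channel is derived from HMAC(shared_key, hop_counter) over the
set of orthogonal channels other than the current one. The predictable
alternative, always stepping to the next orthogonal channel above, is
included for comparison. Channel list and key are assumptions.
"""
import hashlib
import hmac

CHANNELS = [36, 40, 44, 48, 52, 56, 60, 64]   # assumed set of orthogonal channels
SHARED_KEY = b"constructed-pairwise-key"       # constructed for the demonstration


def next_channel(key, hop, current, channels=CHANNELS):
    """Channel for hop number `hop`; never equal to the channel being jammed."""
    candidates = [c for c in channels if c != current]
    digest = hmac.new(key, hop.to_bytes(8, "big"), hashlib.sha256).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def keyed_schedule(key, hops, start, channels=CHANNELS):
    """Sequence of channels both devices compute independently from the key."""
    seq = [start]
    for hop in range(1, hops):
        seq.append(next_channel(key, hop, seq[-1], channels))
    return seq


def sequential_schedule(hops, start, channels=CHANNELS):
    """The obvious rule from the text: step to the next orthogonal channel above."""
    i = channels.index(start)
    return [channels[(i + hop) % len(channels)] for hop in range(hops)]


def predicted_hops(seq, channels=CHANNELS):
    """Hops a jammer anticipates correctly by assuming 'next channel above'
    each time it notices the devices have left the channel it was jamming."""
    hits = 0
    for prev, cur in zip(seq, seq[1:]):
        guess = channels[(channels.index(prev) + 1) % len(channels)]
        hits += guess == cur
    return hits


if __name__ == "__main__":
    hops = 50
    print("sequential: jammer predicts", predicted_hops(sequential_schedule(hops, 36)), "of", hops - 1)
    print("keyed:      jammer predicts", predicted_hops(keyed_schedule(SHARED_KEY, hops, 36)), "of", hops - 1)
```

With the sequential rule the jammer predicts every hop; with the keyed schedule its guess is right only about one hop in seven, since seven orthogonal channels remain to choose from each time. A third party without the shared key computes a different sequence, and the number of orthogonal channels available bounds how much unpredictability the scheme can offer.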

Conclusion

Denial of service and distributed denial of service attacks cause major
disruption to businesses worldwide. Launching a DDoS attack is trivial
in comparison to the amount of time and resources spent on creating an
effective countermeasure. New techniques for detecting and combating these
attacks are constantly being created; however, new forms of attack are
also being created, rendering these countermeasures obsolete. This is an
ongoing problem to which there is no permanent solution in sight.

[5] Alefiya Hussain, John Heidemann and Christos
Papadopoulos, Denial-of-service: A framework for classifying denial of
service attacks. In Proceedings of the 2003 conference on Applications,
technologies, architectures, and protocols for computer communications,
August 2003.

[6] Udaya Kiran Tupakula and Vijay Varadharajan,
A practical method to counteract denial of service attacks. Proceedings
of the twenty-sixth Australasian computer science conference on Conference
in research and practice in information technology - Volume 16, February
2003.

[Figure 3] Alefiya Hussain, John Heidemann and
Christos Papadopoulos, Denial-of-service: A framework for classifying denial
of service attacks. In Proceedings of the 2003 conference on Applications,
technologies, architectures, and protocols for computer communications,
August 2003.